Many technology companies have successfully built their businesses around health data analytics. However, they operate in treacherous territory due to the sensitive nature of this information and face the challenge of complying with the laws that govern the processing of this data.
In numerous countries and regions, health data is classified as sensitive data. For example, in the European Union, the General Data Protection Regulation (GDPR) recognizes health data as a special category of personal data. The GDPR requires extra safeguards to ensure that this data is processed appropriately in order to protect the persons to whom the data relates. These measures are essential due to the harm that can be caused and trauma that might be suffered by persons if their medical and health data is handled irresponsibly or ends up in the wrong hands.
In this article, we’ll explore two real-life cautionary tales of health data companies that didn’t comply with privacy regulations and, as a result, were hit with significant fines. Both are stark reminders of the responsibilities and potential consequences of processing health data without regard for privacy laws.
Media Group Fined €380,000 for Unlawfully Processing Health Data
In May 2023, the Commission Nationale de l’Informatique et des Libertés (CNIL), the French data protection authority, imposed a fine of €380,000 on Doctissimo, a health and wellness media group, for multiple breaches of the GDPR and France’s Data Protection Act. The CNIL found that Doctissimo collected persons’ health data through tests and quizzes offered on its website without properly informing users or obtaining their consent, as required by Article 9 of the GDPR.
In addition, the CNIL determined that Doctissimo retained data for longer than necessary and did not anonymize the data of users whose accounts had been inactive for more than three years.
The CNIL also sanctioned the company for not ensuring the security of users’ data. For example, it served its website over unencrypted HTTP until October 2019 and did not store passwords in a secure format. The authority also found that Doctissimo processed personal data jointly with other companies but had no formal agreements with them specifying the division of responsibilities, as required by Article 26 of the GDPR.
Lastly, the CNIL fined Doctissimo for storing certain advertising cookies on users’ devices despite user refusal.
Fertility App May Have to Pay $200,000 for Unlawfully Sharing Health Data
On May 17, 2023, the United States Federal Trade Commission (FTC) published its proposed settlement with Easy Healthcare Corporation, the developer of the Premom fertility mobile app, over allegations of violating the Health Breach Notification Rule (“the Rule”) as well as the state and local laws of Connecticut, the District of Columbia, and Oregon. The Rule requires companies that sell personal health records to notify consumers if there is a breach involving unsecured health data. According to the FTC, such a breach occurred because the company shared users’ health data with third parties (AppsFlyer and Google) without notifying those users, despite its privacy notices stating that such sharing would not take place. The policies asserted that user data would not be shared with third parties without users’ knowledge or consent, that only non-identifiable data would be shared, and that data would be used only for the company’s own analytics or advertising purposes. The FTC argues that Premom broke its promises to consumers and compromised their privacy.
If approved by a federal court, the proposed order would prohibit the company from sharing users’ health data with third parties for advertising purposes. Easy Healthcare Corporation would be required to obtain users’ consent before sharing health data for any new purpose and to inform consumers about the use of their personal data.
Increasing Regulatory Activity in the Health Data Space
The FTC’s action against Easy Healthcare is the latest in a series of crackdowns on digital health companies. Earlier this year, the FTC proposed a ban on the GoodRx app sharing users’ health data for advertising. That was followed by BetterHelp’s March settlement with the FTC for allegedly sharing information about users’ mental health concerns with outside companies like Facebook and Snapchat. These actions come at a time when regulation of health data processing is increasing, and new laws are being issued in this regard. Washington’s new My Health, My Data Act is a recent example.
How to Comply with the Requirements to Process Health Data
To avoid sanctions, fines, and reputational damage, companies should ensure that their data processing activities comply with applicable laws.
In the U.S., companies must comply with Section 5 of the FTC Act, which requires them to be truthful and to uphold the promises made in their privacy notices. You can find more information about language in privacy notices in our blog post “Lessons from FTC Enforcement on Security Language in Privacy Notices.” Further, even when applicable laws don’t require it, companies should adhere to best practices for informing users of how their data, including health data, will be processed, and should obtain users’ consent to that processing when appropriate.
The GDPR’s requirements are more stringent. If the GDPR applies, there are very few instances where health data can be shared without prior consent from the user.
While compliance with these requirements can present challenges, it also offers an opportunity for companies to protect their interests and maintain a positive reputation. The potential consequences of legal violations serve as a reminder of the importance of diligently adhering to privacy laws and regulations. By embracing these requirements, companies can proactively safeguard data, enhance trust with their users, and position themselves as responsible custodians of personal information.
With the support of experienced privacy and data protection advisors like VeraSafe, navigating the compliance landscape becomes an empowering journey towards achieving legal compliance, ensuring data protection, and fostering a culture of privacy excellence.